How to combat mobile commerce fraud

Note: Our combating mobile commerce fraud article has been fully updated. This feature was first published in November 2013.

It is estimated that Britons will spend nearly £15 billion (around $23 billion, AU$31 billion) on mobile devices in 2015 alone. This huge amount of money has of course begun to attract the attention of fraudsters. With the introduction of Chip & PIN and the expansion of stronger security systems in retail outlets, fraudsters have begun to switch their attention to the m-commerce market.

Says CyberSource: "The ability to understand how consumer behaviour differs when using mobile devices; to capture data that is relevant to the mobile channel and implement appropriate fraud management tools and rules; to track and analyse m-commerce chargeback, rejection and review rates and fine-tune your strategy in response - all have clear implications for the experience that both customers and fraudsters will have when they interact with you through the mobile channel."

For retailers the growth in their mobile channels poses a challenge to ensure levels of fraud are kept to a minimum. Being vigilant and also evolving the tools your business uses to track and prevent fraud are critical.

Increase in mobile transactions

What is clear for all businesses is that firstly the number of transactions their customers complete on mobile devices will massively increase, and secondly that they will need to overhaul their payment systems to cope with this demand and to also prevent fraud.

Getting more information about the mobile devices being used to make purchases from your business is a practical step that will give you data about the purchaser that fraud prevention applications can use to assess an order and decide whether to accept or reject it.

Narayan Sivaram, VP and regional head of cards and payments at Infosys, commented: "The acceptance of emerging payment acceptance form factors (the Internet of Things, smartphones, wearables), wallets (Apple Pay, Android Pay, Samsung Pay, Merchant Customer Exchange [MCX]) and the need to secure payments from fraud are forcing merchants to move to a more flexible and modern payment architecture."

EMV impact

Additionally, the imminent move to EMV (Europay, MasterCard and Visa) that is rolling out in the US could have a major impact on Card Not Present transactions and therefore potential card frauds. In its True Cost of Fraud report, LexisNexis advises: "Do not rely on EMV to eliminate fraud - tokenization must be used in conjunction with 3-D Secure because multi-channel merchants are attractive data breach and fraud targets."

The report further noted: "While EMV is highly effective at preventing POS fraud, when used for e-commerce purchases card data is still vulnerable to compromise and subsequent misuse - including static CVC2 data.

"3-D Secure provides for improved authentication of the cardholder during e-commerce and m-commerce transactions, reducing the efficacy of fraudsters' attempts to misuse card data compromised from a breach. And merchants can safely store and transmit tokens as proxies for primary account numbers (PANs) card data and are also more easily replaced."

Fraud goes mobile

So what are the actual threats that mobile retailing has to face? Just as desktop and notebook computers face malware and virus attack, mobile devices are not immune. In addition, because many transactions are now done wirelessly over a retailer's Wi-Fi network, these networks are also vulnerable to attack.

According to Alcatel-Lucent's Motive Security Labs, malware infections are on the increase. The Motive Security Labs Malware Report 2014 estimates that worldwide about 16 million mobile devices are infected by malware. "Mobile malware is increasing in sophistication with more robust command and control protocols," the company states in its report.

Not surprisingly the vast majority of infections are on Windows and Android devices, and Apple - with its walled garden approach to hardware and software development - sees the lowest level of attack and infections.

The Mobile Payments Security 101 report from Networld Media Group also states: "The rise in app-related fraud is due largely to the fact that mobile apps seldom have the infrastructure necessary to enable adequate mobile device identification and profiling, ThreatMetrix says."

The report further notes that ThreatMetrix - in its paper, Fraud Protection for Mobile Applications - adds: "Additionally, implementing these features requires skills far beyond those of most mobile app developers. As a result, mobile apps frequently lack a number of security features, and it's difficult for fraud-prevention systems to determine if the device in question is being used legitimately - creating a prime opportunity for fraudsters."

The huge popularity of apps has of course attracted the attention of the fraudsters. Here in-app purchases are often the target, where games developers for instance need to differentiate between a genuine in-app purchase and one that has used stolen currency.

Services such as Adjust.com can offer a level of protection, but users with phones that have been jailbroken are difficult to protect.

Fraud checklist
Your fraud checklist

"When businesses discover that their mobile fraud rate is higher than they'd like, their first instinct may be to react quickly, with 'blunt' rules that cause them to review or reject more mobile orders," says CyberSource. "This approach may enable more fraudulent orders to be identified, but there's a significant risk of catching genuine orders in the same net."

Follow these steps to protect your mobile business:
1. Distinguish your channels
As retail now uses multiple channels, it's important to track and differentiate orders from mobile channels and your business' wider e-commerce activity. These insights will enable you to see whether mobile fraud is actually increasing.

2. Choose the right tools
To detect and prevent mobile fraud, using the right detection tools is vital. However, many retailers simply use the same fraud prevention tools they have for their e-commerce sites for their mobile channel.

3. Analyse your chargeback channels
Fraud can be one of the main causes of chargebacks. According to a Chase Payments survey, chargebacks are highest from a PC website (36%), from mobile-enabled websites (21%) or from mobile apps (15%).

4. Use a layered approach
Fraudsters use many channels to attack their victims, so it makes sense to also have a number of security layers to protect your customers. Look at every piece of personal information and where this is stored and exposed. Ensure all Card Not Present transactions are protected at every customer facing point.

5. Pay attention to EMV
This new system is now live, which means your business must be more vigilant about potential fraud. Always use several fraud protection mechanisms to detect potential card misuse such as 3-D Secure.

6. Check your PCI compliance
The Payment Card Industry Data Security Standard (PCI DSS) has a minimum level of security that all merchants should adhere to. Check the PCI website for updates to this guidance.

7. Analyse in-app purchases
If your business uses apps, paying close attention to the analytics of your apps will reveal patterns of usage that could mean fraud. Fraud scanning services such as Maxmind can also help you identify potential fraud accounts and orders.

Conclusion
Stuart Reed, senior director of Global Product Marketing at NTT Com Security, concludes: "Have a well-defined and well-communicated incident response plan should a security breach occur in order to minimise the impact and cost of incidents - our own Global Threat Intelligence Report indicates that 74% of companies do not have an incident response plan in place."

Fraud is a fact of life for all online businesses. With m-commerce set to become even more popular than e-commerce, having strong fraud protection and prevention systems in place is a must for all businesses.